update idp config to 4.1.0

internet2 · Mar 31, 2021 · 5e13abc · 5e13abc
1 parent 9d196a3
commit 5e13abc
Show file tree

Hide file tree

Showing 18 changed files with 789 additions and 232 deletions.
diff --git a/Workbench/idp/shibboleth-idp/conf/access-control.xml b/Workbench/idp/shibboleth-idp/conf/access-control.xml
@@ -34,7 +34,7 @@
         </entry>
 
         <!--
-        <entry key="AccessByUser">
+        <entry key="AccessByAdminUser">
             <bean parent="shibboleth.PredicateAccessControl">
                 <constructor-arg>
                     <bean parent="shibboleth.Conditions.SubjectName" c:collection="#{'jdoe'}" />

diff --git a/Workbench/idp/shibboleth-idp/conf/attribute-filter.xml b/Workbench/idp/shibboleth-idp/conf/attribute-filter.xml
@@ -1,10 +1,100 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!-- 
+    This file is an EXAMPLE policy file.  While the policy presented in this 
+    example file is illustrative of some simple cases, it relies on the names of
+    non-existent example services and the example attributes demonstrated in the
+    default attribute-resolver.xml file.
+
+    This example does contain some usable "general purpose" policies that may be
+    useful in conjunction with specific deployment choices, but those policies may
+    not be applicable to your specific needs or constraints.    
+-->
 <AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
         xmlns="urn:mace:shibboleth:2.0:afp"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
 
-    <!-- Release some attributes to an SP. -->
+    <!--
+    Example rule relying on a locally applied tag in metadata to trigger attribute
+    release of some specific attributes. Add additional attributes as desired.
+    -->
+	<AttributeFilterPolicy id="Per-Attribute-singleValued">
+	    <PolicyRequirementRule xsi:type="ANY" />
+
+	    <AttributeRule attributeID="eduPersonPrincipalName">
+	        <PermitValueRule xsi:type="EntityAttributeExactMatch"
+	            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+	            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+	            attributeValue="eduPersonPrincipalName" />
+	    </AttributeRule>
+
+	    <AttributeRule attributeID="mail">
+	        <PermitValueRule xsi:type="EntityAttributeExactMatch"
+	            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+	            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+	            attributeValue="mail" />
+	    </AttributeRule>
+	</AttributeFilterPolicy>
+
+    <!--
+    Same as above but more efficient form for an attribute with multiple values.
+    -->
+    <AttributeFilterPolicy id="Per-Attribute-Affiliation">
+        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+            attributeValue="eduPersonScopedAffiliation" />
+
+        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
+    </AttributeFilterPolicy>
+
+    <!--
+    Example rule for honoring Subject ID requirement tag in metadata.
+    The example supplies pairwise-id if subject-id isn't explicitly required.
+    -->
+    <AttributeFilterPolicy id="subject-identifiers">
+        <PolicyRequirementRule xsi:type="ANY" />
+
+        <AttributeRule attributeID="samlPairwiseID">
+            <PermitValueRule xsi:type="OR">
+                <Rule xsi:type="EntityAttributeExactMatch"
+                    attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
+                    attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                    attributeValue="pairwise-id" />
+                <Rule xsi:type="EntityAttributeExactMatch"
+                    attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
+                    attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                    attributeValue="any" />
+            </PermitValueRule>
+        </AttributeRule>
+
+        <AttributeRule attributeID="samlSubjectID">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
+                attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                attributeValue="subject-id" />
+        </AttributeRule>
+    </AttributeFilterPolicy>
+
+    <!-- Release an additional attribute to an SP. -->
+    <AttributeFilterPolicy id="example1">
+        <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
+
+        <AttributeRule attributeID="uid" permitAny="true" />
+    </AttributeFilterPolicy>
+
+    <!-- Release eduPersonScopedAffiliation to two specific SPs. -->
+    <AttributeFilterPolicy id="example2">
+        <PolicyRequirementRule xsi:type="OR">
+            <Rule xsi:type="Requester" value="https://sp.example.org" />
+            <Rule xsi:type="Requester" value="https://another.example.org/shibboleth" />
+        </PolicyRequirementRule>
+
+        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
+    </AttributeFilterPolicy>
+
+
+    <!-- workbench SPs -->
     <AttributeFilterPolicy id="grouper">
         <PolicyRequirementRule xsi:type="Requester" value="https://grouperdemo/shibboleth" />
         <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
@@ -25,7 +115,7 @@
         <AttributeRule attributeID="uid" permitAny="true" />
         <AttributeRule attributeID="mail" permitAny="true" />
     </AttributeFilterPolicy>
-	
+
     <AttributeFilterPolicy id="midpoint">
         <PolicyRequirementRule xsi:type="Requester" value="https://midpointdemo/shibboleth" />
         <AttributeRule attributeID="uid" permitAny="true" />
@@ -37,15 +127,15 @@
         <AttributeRule attributeID="uid" permitAny="true" />
         <AttributeRule attributeID="mail" permitAny="true" />
     </AttributeFilterPolicy>
-	
-	<AttributeFilterPolicy id="shibui">
+
+    <AttributeFilterPolicy id="shibui">
         <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/shibui" />
         <AttributeRule attributeID="uid" permitAny="true" />
-		<AttributeRule attributeID="mail" permitAny="true" />
+                <AttributeRule attributeID="mail" permitAny="true" />
     </AttributeFilterPolicy>
-	
-	<!-- Supports annotated metadata supplied by the Shibb UI -->
-	<AttributeFilterPolicy id="Per-Attribute-singleValued">
+
+      <!-- Supports annotated metadata supplied by the Shibb UI -->
+      <AttributeFilterPolicy id="Per-Attribute-singleValued">
         <PolicyRequirementRule xsi:type="ANY"/>
         <AttributeRule attributeID="eduPersonPrincipalName">
             <PermitValueRule xsi:type="EntityAttributeExactMatch"
@@ -108,6 +198,7 @@
                              attributeValue="employeeNumber" />
         </AttributeRule>
     </AttributeFilterPolicy>
-	
-	
+
+    
 </AttributeFilterPolicyGroup>
+
diff --git a/Workbench/idp/shibboleth-idp/conf/attribute-resolver.xml b/Workbench/idp/shibboleth-idp/conf/attribute-resolver.xml
@@ -1,4 +1,14 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!--
+    This file is an EXAMPLE configuration file containing some example attributes
+    based on some commonly used approaches when LDAP is the principal data source.
+     
+    Not all attribute definitions or data connectors are demonstrated, but some
+    LDAP attributes common to Shibboleth deployments (and some not so common) are
+    included.
+
+    This example is in no way usable as a substitute for reading the documentation.    
+-->
 <AttributeResolver
         xmlns="urn:mace:shibboleth:2.0:resolver"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -8,6 +18,7 @@
     <!--      Attribute Definitions                 -->
     <!-- ========================================== -->
 
+    <!-- Simple attributes are exported directly from the LDAP connector. -->
     <!-- Schema: Core schema attributes-->
     <AttributeDefinition xsi:type="Simple" id="uid">
         <InputDataConnector ref="myLDAP" attributeNames="uid"/>
@@ -24,55 +35,91 @@
     </AttributeDefinition>
 
     <!-- Schema: eduPerson attributes -->
-    <AttributeDefinition xsi:type="Simple" id="eduPersonAffiliation">
-        <InputDataConnector ref="myLDAP" attributeNames="cn"/>
-    </AttributeDefinition>
     <AttributeDefinition xsi:type="Scoped" id="eduPersonPrincipalName" scope="%{idp.scope}">
         <InputDataConnector ref="myLDAP" attributeNames="uid"/>
     </AttributeDefinition>
 
+
+    <!-- eduPerson attributes requiring post-lookup manipulation -->
+<!-- 
+
+    <AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalName">
+        <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalName"/>
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalNamePrior">
+        <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalNamePrior"/>
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}">
+        <InputDataConnector ref="myLDAP" attributeNames="eduPersonAffiliation"/>
+    </AttributeDefinition>
+-->
+
+    <!-- Schema: SAML Subject ID Attributes -->
+<!--
+    <AttributeDefinition xsi:type="Scoped" id="samlSubjectID" scope="%{idp.scope}">
+        <InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}"/>
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Scoped" id="samlPairwiseID" scope="%{idp.scope}">
+        <InputDataConnector ref="computed" attributeNames="computedId"/>
+    </AttributeDefinition>
+-->
+
     <!-- ========================================== -->
     <!--      Data Connectors                       -->
     <!-- ========================================== -->
 
-    <!-- Example Static Connector -->
-    <!--
-    <DataConnector id="staticAttributes" xsi:type="Static">
-        <Attribute id="eduPersonAffiliation">
-            <Value>member</Value>
-        </Attribute>
-    </DataConnector>
-    -->
-
-    <!-- Example Relational Database Connector -->
-    <!--
-    <DataConnector id="mySIS" xsi:type="RelationalDatabase">
-        <ApplicationManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver"
-                                         jdbcURL="jdbc:oracle:thin:@db.example.org:1521:SomeDB" 
-                                         jdbcUserName="myid" 
-                                         jdbcPassword="mypassword" />
-        <QueryTemplate>
-            <![CDATA[
-                SELECT * FROM student WHERE gzbtpid = '$requestContext.principalName'
-            ]]>
-        </QueryTemplate>
-
-        <Column columnName="gzbtpid" attributeID="uid" />
-        <Column columnName="fqlft" attributeID="gpa" />
-    </DataConnector>
-     -->
+    <!-- Example LDAP Connector -->
 
     <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
         ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
         baseDN="%{idp.attribute.resolver.LDAP.baseDN}" 
         principal="%{idp.attribute.resolver.LDAP.bindDN}"
         principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
-        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}">
+        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
+        connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
+        responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
+        connectionStrategy="%{idp.attribute.resolver.LDAP.connectionStrategy}"
+        noResultIsError="true"
+        multipleResultsIsError="true"
+        excludeResolutionPhases="c14n/attribute"
+        exportAttributes="mail displayName sn givenName departmentNumber employeeNumber eduPersonEntitlement eduPersonAssurance">
         <FilterTemplate>
             <![CDATA[
                 %{idp.attribute.resolver.LDAP.searchFilter}
             ]]>
         </FilterTemplate>
+        <ConnectionPool
+            minPoolSize="%{idp.pool.LDAP.minSize:3}"
+            maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
+            blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
+            validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
+            validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
+            validateDN="%{idp.pool.LDAP.validateDN:}"
+            validateFilter="%{idp.pool.LDAP.validateFilter:(objectClass=*)}"
+            expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"/>
     </DataConnector>
 
+    <!--
+    DataConnector for pairwise-id (example depends in part on saml-nameid.properties).
+    Note that this relies on BASE32 encoding in accordance with the attribute definition.
+    Older uses of this plugin for legacy eduPersonTargetedID/NameID values may require
+    different settings.
+    -->
+<!-- 
+    <DataConnector id="computed" xsi:type="ComputedId"
+        excludeResolutionPhases="c14n/attribute"
+	    generatedAttributeID="computedId"
+	    salt="%{idp.persistentId.salt}"
+	    algorithm="%{idp.persistentId.algorithm:SHA}"
+        encoding="BASE32">
+	    
+        <InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}" />
+        
+	</DataConnector>
+-->
+
 </AttributeResolver>
+